Merge "fc_sort: cleanup warnings caught by clang tidy / static analyzer."
diff --git a/Android.mk b/Android.mk
index 6a4b8a4..7bfe1a7 100644
--- a/Android.mk
+++ b/Android.mk
@@ -26,13 +26,49 @@
 LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
 endif
 
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS and the LOCAL_PATH.
-# $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+# sepolicy is now divided into multiple portions:
+# public - policy exported on which non-platform policy developers may write
+#   additional policy.  types and attributes are versioned and included in
+#   delivered non-platform policy, which is to be combined with platform policy.
+# private - platform-only policy required for platform functionality but which
+#  is not exported to vendor policy developers and as such may not be assumed
+#  to exist.
+# mapping - TODO.  This contains policy statements which map the attributes
+#  exposed in the public policy of previous versions to the concrete types used
+#  in this policy to ensure that policy targeting attributes from public
+#  policy from an older platform version continues to work.
+
+# TODO - build process for device:
+# 1) convert policies to CIL:
+#    - private + public platform policy to CIL
+#    - mapping file to CIL (should already be in CIL form)
+#    - non-platform public policy to CIL
+#    - non-platform public + private policy to CIL
+# 2) attributize policy
+#    - TODO: do this for platform policy?
+#    - run script which takes non-platform public and non-platform combined
+#      private + public policy and produces attributized and versioned
+#      non-platform policy
+# 3) combine policy files
+#    - combine mapping, platform and non-platform policy.
+#    - compile output binary policy file
+
+PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+
+###########################################################
+# Compute policy files to be used in policy build.
+# $(1): files to include
+# $(2): directories in which to find files
+###########################################################
+
+define build_policy
+$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
+endef
 
 # Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_device_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+build_device_policy = $(call build_policy, $(1), $(BOARD_SEPOLICY_DIRS))
 
 # Add a file containing only a newline in-between each policy configuration
 # 'contexts' file. This will allow OEM policy configuration files without a
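Review bot: The header comment for `build_policy` documents `$(1)` and `$(2)` but not the order of the result, and order matters because every caller concatenates it with `m4 -s $^`. From the body, the outer `foreach` walks `$(1)` and the inner walks `$(2)`, with `$(sort $(wildcard ...))` applied per directory, so the output is grouped by file name first, then by directory in the order given in `$(2)`, and only each single glob expansion is sorted. I would add `# Result order: for each name in $(1), the matches from each directory of $(2) in the order given (each wildcard expansion sorted) - this is the concatenation order the callers feed to m4.` Note also that `$(call build_policy, $(1), ...)` preserves the space after each comma in `$(1)`/`$(2)`; that is harmless here only because `foreach` and `addsuffix` split on whitespace, which is worth a word in the comment for the next person who adds a non-list parameter.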
@@ -92,11 +128,28 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+platform_policy.conf := $(intermediates)/plat_policy.conf
+$(platform_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(platform_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(platform_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(platform_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+	@mkdir -p $(dir $@)
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-s $^ > $@
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+# TODO: add steps for non-platform public and combined files with checkpolicy
+# support. b/31932523
+
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
+$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
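Review bot: Nothing in this hunk depends on the new `$(platform_policy.conf)` target, so unless a later part of Android.mk names it as a prerequisite it is never built and the public/private split it encodes goes unexercised; the TODO about "non-platform public and combined files" suggests the consumer is still to come. Until then I would either hook it into the module so breakage surfaces early, e.g. `$(LOCAL_BUILT_MODULE): $(platform_policy.conf)` next to the existing rule, or say in the comment that the file is intentionally unused for now. The recipe also writes `$@.dontaudit` as a second output that make knows nothing about (mirroring the existing policy.conf rule), so it is neither rebuilt on its own nor removed when the target is; a stamp or a separate rule for the `.dontaudit` file would make that explicit.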
@@ -135,7 +188,8 @@
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy_recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
+$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
@@ -168,12 +222,10 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-exp_sepolicy_build_files :=\
-  $(foreach file, $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)), $(sort $(wildcard $(file))))
-
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
+$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=user \
@@ -223,9 +275,9 @@
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.
 
-local_fc_files := $(LOCAL_PATH)/file_contexts
+local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(LOCAL_PATH)/file_contexts_asan
+  local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
@@ -281,7 +333,7 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_file_contexts.tmp := $(intermediates)/general_file_contexts.tmp
-$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts)
+$(general_file_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, file_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -302,7 +354,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(call build_policy, seapp_contexts)
+all_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files)
@@ -321,7 +373,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+all_sc_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files)
@@ -339,7 +391,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+$(LOCAL_BUILT_MODULE): $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
 	@mkdir -p $(dir $@)
 	- $(hide) grep -ie '^neverallow' $< > $@
 
@@ -354,7 +406,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_pc_files := $(call build_policy, property_contexts)
+all_pc_files := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 all_pcfiles_with_nl := $(call add_nl, $(all_pc_files), $(built_nl))
 
 property_contexts.tmp := $(intermediates)/property_contexts.tmp
@@ -386,7 +438,7 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_property_contexts.tmp := $(intermediates)/general_property_contexts.tmp
-$(general_property_contexts.tmp): $(addprefix $(LOCAL_PATH)/, property_contexts)
+$(general_property_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, property_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -408,7 +460,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_svc_files := $(call build_policy, service_contexts)
+all_svc_files := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 all_svcfiles_with_nl := $(call add_nl, $(all_svc_files), $(built_nl))
 
 service_contexts.tmp := $(intermediates)/service_contexts.tmp
@@ -439,7 +491,7 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_service_contexts.tmp := $(intermediates)/general_service_contexts.tmp
-$(general_service_contexts.tmp): $(addprefix $(LOCAL_PATH)/, service_contexts)
+$(general_service_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, service_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -464,11 +516,11 @@
 # Build keys.conf
 mac_perms_keys.tmp := $(intermediates)/keys.tmp
 $(mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
+$(mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
-all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE))
+all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE), $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 
 # Should be synced with keys.conf.
 all_keys := platform media shared testkey
diff --git a/autoplay_app.te b/autoplay_app.te
deleted file mode 100644
index f671d5d..0000000
--- a/autoplay_app.te
+++ /dev/null
@@ -1,109 +0,0 @@
-###
-### AutoPlay apps.
-###
-### This file defines the security policy for apps with the autoplay
-### feature.
-###
-### The autoplay_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to autoplay to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as autoplay at install time.
-type autoplay_app, domain;
-
-# allow JITing
-allow autoplay_app self:process execmem;
-allow autoplay_app ashmem_device:chr_file execute;
-
-# Define and allow access to our own type for ashmem regions.
-# Label ashmem objects with our own unique type.
-tmpfs_domain(autoplay_app)
-# Map with PROT_EXEC.
-allow autoplay_app autoplay_app_tmpfs:file execute;
-
-# Read system properties managed by zygote.
-allow autoplay_app zygote_tmpfs:file read;
-
-# Send logcat messages to logd.
-write_logd(autoplay_app)
-
-# Receive and use open file descriptors inherited from zygote.
-allow autoplay_app zygote:fd use;
-
-# Notify zygote of death;
-allow autoplay_app zygote:process sigchld;
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow autoplay_app zygote:unix_dgram_socket write;
-
-# App sandbox file accesses.
-allow autoplay_app autoplay_data_file:dir create_dir_perms;
-allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;
-
-# For art.
-allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
-allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
-allow autoplay_app dalvikcache_data_file:dir getattr;
-
-# Grant GPU access. autoplay_app needs that to render the standard UI.
-allow autoplay_app gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(autoplay_app)
-# Perform binder IPC to binder services.
-binder_call(autoplay_app, surfaceflinger)
-binder_call(autoplay_app, system_server)
-
-# Allow read access to ion memory allocation device
-allow autoplay_app ion_device:chr_file { read open };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow autoplay_app system_server:fifo_file rw_file_perms;
-allow autoplay_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow autoplay_app system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Inherit or receive open files from system_server.
-allow autoplay_app system_server:fd use;
-
-# Communicate with surfaceflinger.
-allow autoplay_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Read files already opened under /data.
-allow autoplay_app system_data_file:file { getattr read };
-allow autoplay_app system_data_file:lnk_file read;
-
-# System file accesses. Check for libraries
-allow autoplay_app system_file:dir getattr;
-
-# services
-allow autoplay_app accessibility_service:service_manager find;
-allow autoplay_app activity_service:service_manager find;
-allow autoplay_app assetatlas_service:service_manager find;
-allow autoplay_app connectivity_service:service_manager find;
-allow autoplay_app display_service:service_manager find;
-allow autoplay_app graphicsstats_service:service_manager find;
-allow autoplay_app input_method_service:service_manager find;
-allow autoplay_app input_service:service_manager find;
-allow autoplay_app surfaceflinger_service:service_manager find;
-allow autoplay_app textservices_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow autoplay_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow autoplay_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow autoplay_app debugfs:file read;
-
-# execute gpu_device
-neverallow autoplay_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow autoplay_app sysfs:file *;
diff --git a/access_vectors b/private/access_vectors
similarity index 100%
rename from access_vectors
rename to private/access_vectors
diff --git a/private/adbd.te b/private/adbd.te
new file mode 100644
index 0000000..cabaf66
--- /dev/null
+++ b/private/adbd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(adbd, shell_exec, shell)
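Review bot: The header `# type_transition must be private policy the domain_trans rules could stay / # public, but conceptually should go with this` is copied verbatim into most of the new private/*.te files in this commit, including files that contain no domain_trans at all (android_hardware_audio_2_0_service.te, audioserver.te, bootanim.te, bootstat.te, keystore.te and the other init_daemon_domain-only files), while android_hardware_nfc_1_0_service.te, android_hardware_vibrator_service.te and android_hardware_vr.te use `# may be started by init` instead. The sentence is also missing its punctuation, so it reads as one run-on clause. I would write it once as `# type_transition rules must live in private policy; the domain_trans rules could stay public, but conceptually belong with the transition.` in the files that actually carry a transition, and use the shorter `# may be started by init` form in the files that only call init_daemon_domain, so each comment describes what its file contains.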
diff --git a/private/android_hardware_audio_2_0_service.te b/private/android_hardware_audio_2_0_service.te
new file mode 100644
index 0000000..8a29255
--- /dev/null
+++ b/private/android_hardware_audio_2_0_service.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(android_hardware_audio_2_0_service)
diff --git a/private/android_hardware_nfc_1_0_service.te b/private/android_hardware_nfc_1_0_service.te
new file mode 100644
index 0000000..43368f8
--- /dev/null
+++ b/private/android_hardware_nfc_1_0_service.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(android_hardware_nfc_1_0_service)
diff --git a/private/android_hardware_vibrator_service.te b/private/android_hardware_vibrator_service.te
new file mode 100644
index 0000000..ca8cc24
--- /dev/null
+++ b/private/android_hardware_vibrator_service.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(android_hardware_vibrator_service)
diff --git a/private/android_hardware_vr.te b/private/android_hardware_vr.te
new file mode 100644
index 0000000..65ab4ee
--- /dev/null
+++ b/private/android_hardware_vr.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(android_hardware_vr)
diff --git a/atrace.te b/private/atrace.te
similarity index 100%
rename from atrace.te
rename to private/atrace.te
diff --git a/private/audioserver.te b/private/audioserver.te
new file mode 100644
index 0000000..6417858
--- /dev/null
+++ b/private/audioserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(audioserver)
diff --git a/private/bluetooth.te b/private/bluetooth.te
new file mode 100644
index 0000000..0abaee6
--- /dev/null
+++ b/private/bluetooth.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
diff --git a/private/bootanim.te b/private/bootanim.te
new file mode 100644
index 0000000..94fbc1f
--- /dev/null
+++ b/private/bootanim.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(bootanim)
diff --git a/private/bootstat.te b/private/bootstat.te
new file mode 100644
index 0000000..caa82fd
--- /dev/null
+++ b/private/bootstat.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(bootstat)
diff --git a/private/cameraserver.te b/private/cameraserver.te
new file mode 100644
index 0000000..b34d746
--- /dev/null
+++ b/private/cameraserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(cameraserver)
diff --git a/private/cppreopts.te b/private/cppreopts.te
new file mode 100644
index 0000000..02c13b3
--- /dev/null
+++ b/private/cppreopts.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
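Review bot: The trailing `;` on `domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);` is the only macro invocation in this commit written that way; m4 passes the semicolon through to checkpolicy after the macro's expansion. If the build accepts it, it is still inconsistent with every other `domain_auto_trans(...)` line here (dumpstate.te, installd.te, netd.te, postinstall.te), so I would drop it: `domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename)`.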
diff --git a/private/debuggerd.te b/private/debuggerd.te
new file mode 100644
index 0000000..bd835af
--- /dev/null
+++ b/private/debuggerd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(debuggerd)
diff --git a/private/dhcp.te b/private/dhcp.te
new file mode 100644
index 0000000..6745189
--- /dev/null
+++ b/private/dhcp.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/drmserver.te b/private/drmserver.te
new file mode 100644
index 0000000..340c454
--- /dev/null
+++ b/private/drmserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(drmserver)
diff --git a/private/dumpstate.te b/private/dumpstate.te
new file mode 100644
index 0000000..ad646f4
--- /dev/null
+++ b/private/dumpstate.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
new file mode 100644
index 0000000..939737b
--- /dev/null
+++ b/private/ephemeral_app.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Define and allow access to our own type for ashmem regions.
+# Label ashmem objects with our own unique type.
+tmpfs_domain(ephemeral_app)
diff --git a/file_contexts b/private/file_contexts
similarity index 96%
rename from file_contexts
rename to private/file_contexts
index 41ab949..a53c5b1 100644
--- a/file_contexts
+++ b/private/file_contexts
@@ -95,6 +95,8 @@
 /dev/rproc_user	u:object_r:rpmsg_device:s0
 /dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
+/dev/snd/audio_timer_device	u:object_r:audio_timer_device:s0
+/dev/snd/audio_seq_device	u:object_r:audio_seq_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/sap_uim_socket[0-9]        u:object_r:sap_uim_socket:s0
@@ -147,6 +149,7 @@
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
+/system/bin/tune2fs	--	u:object_r:fsck_exec:s0
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/toybox	--	u:object_r:toolbox_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
@@ -166,6 +169,7 @@
 /system/bin/wificond	u:object_r:wificond_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
+/system/bin/hw/android\.hardware\.audio@2\.0-service	u:object_r:android_hardware_audio_2_0_service_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
@@ -219,6 +223,8 @@
 /system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
 /system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android.hardware.nfc@1.0-service   u:object_r:android_hardware_nfc_1_0_service_exec:s0
+/system/bin/hw/android.hardware.vibrator@1.0-service   u:object_r:android_hardware_vibrator_service_exec:s0
+/system/bin/hw/android.hardware.vr@1.0-service   u:object_r:android_hardware_vr_exec:s0
 
 #############################
 # Vendor files
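Review bot: The two new entries `/system/bin/hw/android.hardware.vibrator@1.0-service` and `/system/bin/hw/android.hardware.vr@1.0-service` leave the dots unescaped, so each `.` is a regex wildcard, whereas the audio entry added in the previous hunk (`android\.hardware\.audio@2\.0-service`) escapes them. The practical exposure for these exact paths is small, but the inconsistency invites copy-paste of the looser form into later entries; I would write `/system/bin/hw/android\.hardware\.vibrator@1\.0-service   u:object_r:android_hardware_vibrator_service_exec:s0` and `/system/bin/hw/android\.hardware\.vr@1\.0-service   u:object_r:android_hardware_vr_exec:s0`. The existing nfc line directly above them has the same issue but is context, not part of this change.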
@@ -269,6 +275,7 @@
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
 /data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)?       u:object_r:audiohal_data_file:s0
 /data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
 /data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
@@ -381,6 +388,7 @@
 /sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
 /sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
 
 #############################
 # debugfs files
diff --git a/file_contexts_asan b/private/file_contexts_asan
similarity index 100%
rename from file_contexts_asan
rename to private/file_contexts_asan
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
new file mode 100644
index 0000000..a733cab
--- /dev/null
+++ b/private/fingerprintd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(fingerprintd)
diff --git a/fs_use b/private/fs_use
similarity index 100%
rename from fs_use
rename to private/fs_use
diff --git a/private/fsck.te b/private/fsck.te
new file mode 100644
index 0000000..f3f4c52
--- /dev/null
+++ b/private/fsck.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(fsck)
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
new file mode 100644
index 0000000..d050c2e
--- /dev/null
+++ b/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(gatekeeperd)
diff --git a/genfs_contexts b/private/genfs_contexts
similarity index 100%
rename from genfs_contexts
rename to private/genfs_contexts
diff --git a/private/hci_attach.te b/private/hci_attach.te
new file mode 100644
index 0000000..c8ba3f6
--- /dev/null
+++ b/private/hci_attach.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hci_attach)
\ No newline at end of file
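Review bot: private/hci_attach.te is added without a final newline (`\ No newline at end of file`), and private/inputflinger.te has the same defect. These files reach checkpolicy through `m4 -s $^` in Android.mk, where one file's last line is immediately followed by the next file's first line; whether m4's syncline output guarantees a line break at that boundary I cannot confirm from this page, so I would not rely on it. Add the final newline after `init_daemon_domain(hci_attach)` and after `init_daemon_domain(inputflinger)`.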
diff --git a/private/hostapd.te b/private/hostapd.te
new file mode 100644
index 0000000..d895f29
--- /dev/null
+++ b/private/hostapd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hostapd)
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
new file mode 100644
index 0000000..e15d13d
--- /dev/null
+++ b/private/hwservicemanager.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hwservicemanager)
diff --git a/private/init.te b/private/init.te
new file mode 100644
index 0000000..c235454
--- /dev/null
+++ b/private/init.te
@@ -0,0 +1,18 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+recovery_only(`
+  domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+  domain_auto_trans(init, logcat_exec, logd)
+')
diff --git a/initial_sid_contexts b/private/initial_sid_contexts
similarity index 100%
rename from initial_sid_contexts
rename to private/initial_sid_contexts
diff --git a/initial_sids b/private/initial_sids
similarity index 100%
rename from initial_sids
rename to private/initial_sids
diff --git a/private/inputflinger.te b/private/inputflinger.te
new file mode 100644
index 0000000..0d3782f
--- /dev/null
+++ b/private/inputflinger.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(inputflinger)
\ No newline at end of file
diff --git a/private/install_recovery.te b/private/install_recovery.te
new file mode 100644
index 0000000..b9b402b
--- /dev/null
+++ b/private/install_recovery.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
new file mode 100644
index 0000000..50b3821
--- /dev/null
+++ b/private/installd.te
@@ -0,0 +1,12 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
diff --git a/private/kernel.te b/private/kernel.te
new file mode 100644
index 0000000..1c2223e
--- /dev/null
+++ b/private/kernel.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(kernel, init_exec, init)
diff --git a/keys.conf b/private/keys.conf
similarity index 100%
rename from keys.conf
rename to private/keys.conf
diff --git a/private/keystore.te b/private/keystore.te
new file mode 100644
index 0000000..70ad3b2
--- /dev/null
+++ b/private/keystore.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(keystore)
diff --git a/private/lmkd.te b/private/lmkd.te
new file mode 100644
index 0000000..a5d0d77
--- /dev/null
+++ b/private/lmkd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
new file mode 100644
index 0000000..52600ac
--- /dev/null
+++ b/private/logd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(logd)
diff --git a/mac_permissions.xml b/private/mac_permissions.xml
similarity index 100%
rename from mac_permissions.xml
rename to private/mac_permissions.xml
diff --git a/private/mdnsd.te b/private/mdnsd.te
new file mode 100644
index 0000000..54659d1
--- /dev/null
+++ b/private/mdnsd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mdnsd)
diff --git a/private/mediacodec.te b/private/mediacodec.te
new file mode 100644
index 0000000..7f88433
--- /dev/null
+++ b/private/mediacodec.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
new file mode 100644
index 0000000..5a8e744
--- /dev/null
+++ b/private/mediadrmserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediadrmserver)
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
new file mode 100644
index 0000000..8596c14
--- /dev/null
+++ b/private/mediaextractor.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediaextractor)
diff --git a/private/mediaserver.te b/private/mediaserver.te
new file mode 100644
index 0000000..74b11b0
--- /dev/null
+++ b/private/mediaserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediaserver)
diff --git a/mls b/private/mls
similarity index 100%
rename from mls
rename to private/mls
diff --git a/mls_macros b/private/mls_macros
similarity index 100%
rename from mls_macros
rename to private/mls_macros
diff --git a/private/mtp.te b/private/mtp.te
new file mode 100644
index 0000000..69e1353
--- /dev/null
+++ b/private/mtp.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
new file mode 100644
index 0000000..cc87dcb
--- /dev/null
+++ b/private/netd.te
@@ -0,0 +1,9 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
new file mode 100644
index 0000000..8e54a79
--- /dev/null
+++ b/private/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
new file mode 100644
index 0000000..519c342
--- /dev/null
+++ b/private/otapreopt_slot.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
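Review bot: The comment above `init_daemon_domain(otapreopt_slot)` says the transition is from init to `cppreopts`, but the rule is for otapreopt_slot; the text appears to have been lifted from the block removed from cppreopts.te later in this diff (L1531-1533). Suggest `# Technically not a daemon but we do want the transition from init domain to` / `# otapreopt_slot to occur.`. The removed cppreopts rules (its init_daemon_domain and the preopt2cachename transition) presumably land in a private/cppreopts.te outside this chunk; worth confirming they were not dropped in the move.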
diff --git a/perfprofd.te b/private/perfprofd.te
similarity index 100%
rename from perfprofd.te
rename to private/perfprofd.te
diff --git a/policy_capabilities b/private/policy_capabilities
similarity index 100%
rename from policy_capabilities
rename to private/policy_capabilities
diff --git a/port_contexts b/private/port_contexts
similarity index 100%
rename from port_contexts
rename to private/port_contexts
diff --git a/private/postinstall.te b/private/postinstall.te
new file mode 100644
index 0000000..47bf320
--- /dev/null
+++ b/private/postinstall.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
new file mode 100644
index 0000000..7596465
--- /dev/null
+++ b/private/postinstall_dexopt.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/private/ppp.te b/private/ppp.te
new file mode 100644
index 0000000..befc20e
--- /dev/null
+++ b/private/ppp.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/property_contexts b/private/property_contexts
similarity index 100%
rename from property_contexts
rename to private/property_contexts
diff --git a/private/racoon.te b/private/racoon.te
new file mode 100644
index 0000000..3eeb815
--- /dev/null
+++ b/private/racoon.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(racoon)
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
new file mode 100644
index 0000000..3b74629
--- /dev/null
+++ b/private/recovery_persist.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(recovery_persist)
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
new file mode 100644
index 0000000..8204465
--- /dev/null
+++ b/private/recovery_refresh.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(recovery_refresh)
diff --git a/private/rild.te b/private/rild.te
new file mode 100644
index 0000000..ac6a05d
--- /dev/null
+++ b/private/rild.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(rild)
diff --git a/roles b/private/roles
similarity index 100%
rename from roles
rename to private/roles
diff --git a/private/runas.te b/private/runas.te
new file mode 100644
index 0000000..d791501
--- /dev/null
+++ b/private/runas.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
new file mode 100644
index 0000000..55915fe
--- /dev/null
+++ b/private/sdcardd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/seapp_contexts b/private/seapp_contexts
similarity index 91%
rename from seapp_contexts
rename to private/seapp_contexts
index 5d5ad75..6349a97 100644
--- a/seapp_contexts
+++ b/private/seapp_contexts
@@ -1,6 +1,6 @@
 # Input selectors:
 #	isSystemServer (boolean)
-#	isAutoPlayApp (boolean)
+#	isEphemeralApp (boolean)
 #	isOwner (boolean)
 #	user (string)
 #	seinfo (string)
@@ -9,7 +9,7 @@
 #	isPrivApp (boolean)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
-# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
 # isOwner=true will only match for the owner/primary user.
 # isOwner=false will only match for secondary users.
 # If unspecified, the entry can match either case.
@@ -24,7 +24,7 @@
 #
 # Precedence rules:
 # 	  (1) isSystemServer=true before isSystemServer=false.
-# 	  (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
+# 	  (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
 # 	  (3) Specified isOwner= before unspecified isOwner= boolean.
 #	  (4) Specified user= string before unspecified user= string.
 #	  (5) Fixed user= string before user= prefix (i.e. ending in *).
@@ -82,8 +82,8 @@
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
 
-# AutoPlay Apps must run in the autoplay_app domain
-neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
 isSystemServer=true domain=system_server
 user=system seinfo=platform domain=system_app type=system_app_data_file
@@ -94,6 +94,6 @@
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
+user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app type=app_data_file levelFrom=user
diff --git a/security_classes b/private/security_classes
similarity index 100%
rename from security_classes
rename to private/security_classes
diff --git a/service_contexts b/private/service_contexts
similarity index 97%
rename from service_contexts
rename to private/service_contexts
index 6111c37..ff9305b 100644
--- a/service_contexts
+++ b/private/service_contexts
@@ -9,6 +9,7 @@
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 audio                                     u:object_r:audio_service:s0
+autofill                                  u:object_r:autofill_service:s0
 backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:batteryproperties_service:s0
 batterystats                              u:object_r:batterystats_service:s0
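Review bot: The new label `u:object_r:autofill_service:s0` (and `connectivity_metrics_logger_service` and `wifinan_service` in the later hunks of this file) only resolves if a matching `type autofill_service, ...` declaration with the service-manager attribute exists in the policy; none of those declarations is in this chunk, so if they are not elsewhere in the commit the contexts file will fail to validate against the built policy. Moving `sec_key_att_app_id_provider` to its sorted position is fine as is.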
@@ -22,6 +23,7 @@
 common_time.clock                         u:object_r:mediaserver_service:s0
 common_time.config                        u:object_r:mediaserver_service:s0
 connectivity                              u:object_r:connectivity_service:s0
+connectivity_metrics_logger               u:object_r:connectivity_metrics_logger_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
 content                                   u:object_r:content_service:s0
@@ -95,7 +97,6 @@
 notification                              u:object_r:notification_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
 package                                   u:object_r:package_service:s0
-sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
 phone_msim                                u:object_r:radio_service:s0
@@ -116,6 +117,7 @@
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
 search                                    u:object_r:search_service:s0
+sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 sensorservice                             u:object_r:sensorservice_service:s0
 serial                                    u:object_r:serial_service:s0
 servicediscovery                          u:object_r:servicediscovery_service:s0
@@ -147,6 +149,7 @@
 wifiscanner                               u:object_r:wifiscanner_service:s0
 wifi                                      u:object_r:wifi_service:s0
 wificond                                  u:object_r:wificond_service:s0
+wifinan                                   u:object_r:wifinan_service:s0
 window                                    u:object_r:window_service:s0
 wpa                                       u:object_r:wpa_supplicant_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
new file mode 100644
index 0000000..1514b0f
--- /dev/null
+++ b/private/servicemanager.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(servicemanager)
diff --git a/su.te b/private/su.te
similarity index 100%
rename from su.te
rename to private/su.te
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
new file mode 100644
index 0000000..ae8ab08
--- /dev/null
+++ b/private/surfaceflinger.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(surfaceflinger)
diff --git a/private/system_server.te b/private/system_server.te
new file mode 100644
index 0000000..bab3d72
--- /dev/null
+++ b/private/system_server.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+# Create a socket for connections from debuggerd.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
diff --git a/private/tee.te b/private/tee.te
new file mode 100644
index 0000000..17b276f
--- /dev/null
+++ b/private/tee.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(tee)
diff --git a/private/toolbox.te b/private/toolbox.te
new file mode 100644
index 0000000..fd43d5e
--- /dev/null
+++ b/private/toolbox.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
new file mode 100644
index 0000000..ee67bb2
--- /dev/null
+++ b/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
new file mode 100644
index 0000000..5034db7
--- /dev/null
+++ b/private/ueventd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
new file mode 100644
index 0000000..e2b919c
--- /dev/null
+++ b/private/uncrypt.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
new file mode 100644
index 0000000..01199eb
--- /dev/null
+++ b/private/update_engine.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(update_engine);
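Review bot: `init_daemon_domain(update_engine);` carries a trailing `;` that no other init_daemon_domain line in this chunk has; the macro already expands to complete statements, so the semicolon is an empty statement. It is evidently accepted by the build (vold.te at L1161-1169 uses the same form for domain_auto_trans/domain_trans), but for consistency with the sibling files suggest `init_daemon_domain(update_engine)`.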
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
new file mode 100644
index 0000000..a7fb584
--- /dev/null
+++ b/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/private/update_verifier.te b/private/update_verifier.te
new file mode 100644
index 0000000..c5f110b
--- /dev/null
+++ b/private/update_verifier.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(update_verifier)
diff --git a/users b/private/users
similarity index 100%
rename from users
rename to private/users
diff --git a/private/vdc.te b/private/vdc.te
new file mode 100644
index 0000000..877e913
--- /dev/null
+++ b/private/vdc.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(vdc)
diff --git a/private/vold.te b/private/vold.te
new file mode 100644
index 0000000..b2495f6
--- /dev/null
+++ b/private/vold.te
@@ -0,0 +1,19 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/private/wifi_hal_legacy.te b/private/wifi_hal_legacy.te
new file mode 100644
index 0000000..cb2c6da
--- /dev/null
+++ b/private/wifi_hal_legacy.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wifi_hal_legacy)
diff --git a/private/wificond.te b/private/wificond.te
new file mode 100644
index 0000000..2e89975
--- /dev/null
+++ b/private/wificond.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wificond)
diff --git a/private/wpa.te b/private/wpa.te
new file mode 100644
index 0000000..4bf29cf
--- /dev/null
+++ b/private/wpa.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wpa)
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:dir wpa_socket "sockets";
diff --git a/private/zygote.te b/private/zygote.te
new file mode 100644
index 0000000..bab15c7
--- /dev/null
+++ b/private/zygote.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(zygote)
diff --git a/adbd.te b/public/adbd.te
similarity index 93%
rename from adbd.te
rename to public/adbd.te
index 45bed8e..675219a 100644
--- a/adbd.te
+++ b/public/adbd.te
@@ -7,8 +7,6 @@
   allow adbd su:process dyntransition;
 ')
 
-domain_auto_trans(adbd, shell_exec, shell)
-
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
@@ -82,9 +80,9 @@
 ')
 
 # ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd { app_data_file autoplay_data_file }:dir search;
-allow adbd { app_data_file autoplay_data_file }:sock_file write;
-allow adbd { appdomain autoplay_app }:unix_stream_socket connectto;
+allow adbd { app_data_file ephemeral_data_file }:dir search;
+allow adbd { app_data_file ephemeral_data_file }:sock_file write;
+allow adbd { appdomain ephemeral_app }:unix_stream_socket connectto;
 
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
diff --git a/public/android_hardware_audio_2_0_service.te b/public/android_hardware_audio_2_0_service.te
new file mode 100644
index 0000000..9da62c8
--- /dev/null
+++ b/public/android_hardware_audio_2_0_service.te
@@ -0,0 +1,36 @@
+# android_hardware_audio_2_0_service - audio services daemon
+type android_hardware_audio_2_0_service, domain;
+type android_hardware_audio_2_0_service_exec, exec_type, file_type;
+
+hwbinder_use(android_hardware_audio_2_0_service)
+binder_call(android_hardware_audio_2_0_service, audioserver)
+
+allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;
+
+allow android_hardware_audio_2_0_service system_file:dir { open read };
+
+userdebug_or_eng(`
+  # used for pcm capture for debug.
+  allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
+  allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
+')
+
+r_dir_file(android_hardware_audio_2_0_service, proc)
+allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
+allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# android_hardware_audio_2_0_service should never execute any executable without
+# a domain transition
+neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;
+
+# android_hardware_audio_2_0_service should never need network access.
+# Disallow network sockets.
+neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;
\ No newline at end of file
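Review bot: `allow android_hardware_audio_2_0_service system_file:dir { open read };` grants open/read without search or getattr, unlike the `r_dir_perms` macro this same file uses for audio_device:dir a few lines later; if the intent is ordinary directory listing under /system, `allow android_hardware_audio_2_0_service system_file:dir r_dir_perms;` is the conventional form, otherwise a one-line comment explaining why the reduced set is sufficient would help. The file also ends without a trailing newline (`\ No newline at end of file`), which makes the next append to it a noisy diff; add one. The two neverallow rules at the end (no execute_no_trans, no network sockets) are the right defensive floor for a HAL process and should stay.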
diff --git a/android_hardware_nfc_1_0_service.te b/public/android_hardware_nfc_1_0_service.te
similarity index 89%
rename from android_hardware_nfc_1_0_service.te
rename to public/android_hardware_nfc_1_0_service.te
index f980da4..79da53b 100644
--- a/android_hardware_nfc_1_0_service.te
+++ b/public/android_hardware_nfc_1_0_service.te
@@ -2,9 +2,6 @@
 type android_hardware_nfc_1_0_service, domain;
 type android_hardware_nfc_1_0_service_exec, exec_type, file_type;
 
-# may be started by init
-init_daemon_domain(android_hardware_nfc_1_0_service)
-
 # hwbinder access
 hwbinder_use(android_hardware_nfc_1_0_service)
 
diff --git a/public/android_hardware_vibrator_service.te b/public/android_hardware_vibrator_service.te
new file mode 100644
index 0000000..37381e8
--- /dev/null
+++ b/public/android_hardware_vibrator_service.te
@@ -0,0 +1,9 @@
+# vibrator subsystem
+type android_hardware_vibrator_service, domain;
+type android_hardware_vibrator_service_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(android_hardware_vibrator_service)
+
+# vibrator sysfs rw access
+allow android_hardware_vibrator_service sysfs_vibrator:file rw_file_perms;
diff --git a/public/android_hardware_vr.te b/public/android_hardware_vr.te
new file mode 100644
index 0000000..f6651c5
--- /dev/null
+++ b/public/android_hardware_vr.te
@@ -0,0 +1,9 @@
+# vr subsystem
+type android_hardware_vr, domain;
+type android_hardware_vr_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(android_hardware_vr)
+
+# call into system_server process
+binder_call(android_hardware_vr, system_server)
diff --git a/app.te b/public/app.te
similarity index 93%
rename from app.te
rename to public/app.te
index 0617e73..985e358 100644
--- a/app.te
+++ b/public/app.te
@@ -37,8 +37,8 @@
 allow appdomain dalvikcache_data_file:file r_file_perms;
 
 # Read the /sdcard and /mnt/sdcard symlinks
-allow appdomain rootfs:lnk_file r_file_perms;
-allow appdomain tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
 
 # Search /storage/emulated tmpfs mount.
 allow appdomain tmpfs:dir r_dir_perms;
@@ -174,36 +174,36 @@
 allow appdomain system_data_file:file { getattr read };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow appdomain media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
 
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow appdomain radio_data_file:file { read write getattr };
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:lnk_file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-allow appdomain mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow appdomain fuse:dir create_dir_perms;
-allow appdomain fuse:file create_file_perms;
-allow appdomain sdcardfs:dir create_dir_perms;
-allow appdomain sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app } sdcardfs:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow appdomain vfat:dir r_dir_perms;
-allow appdomain vfat:file rw_file_perms;
+allow { appdomain -isolated_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow appdomain usb_device:chr_file { read write getattr ioctl };
-allow appdomain usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app } usbaccessory_device:chr_file { read write getattr };
 
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
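Review bot: The `-isolated_app` exclusions in this hunk (and the rootfs/tmpfs lnk_file pair in the earlier hunk at L1346-1347) tighten the isolated sandbox, but nothing in the diff pins the restriction, so a later `allow appdomain ...` in any public or vendor file silently reopens it. Suggest a matching neverallow in isolated_app.te if it does not already carry one (that file is not in this chunk), e.g. `neverallow isolated_app { storage_file mnt_user_file fuse sdcardfs vfat media_rw_data_file radio_data_file }:dir_file_class_set *;`. `allow appdomain tmpfs:dir r_dir_perms;` at L1350 and the system_data_file read at L1352 still apply to isolated_app; if that is deliberate, a short comment saying so would save the next reader from wondering why those were left out.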
diff --git a/attributes b/public/attributes
similarity index 100%
rename from attributes
rename to public/attributes
diff --git a/audioserver.te b/public/audioserver.te
similarity index 92%
rename from audioserver.te
rename to public/audioserver.te
index da12649..5dea1b3 100644
--- a/audioserver.te
+++ b/public/audioserver.te
@@ -2,15 +2,16 @@
 type audioserver, domain;
 type audioserver_exec, exec_type, file_type;
 
-init_daemon_domain(audioserver)
-
 r_dir_file(audioserver, sdcard_type)
 
 binder_use(audioserver)
 binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, { appdomain autoplay_app })
+binder_call(audioserver, { appdomain ephemeral_app })
 binder_service(audioserver)
 
+hwbinder_use(audioserver)
+binder_call(audioserver, android_hardware_audio_2_0_service)
+
 r_dir_file(audioserver, proc)
 allow audioserver ion_device:chr_file r_file_perms;
 allow audioserver system_file:dir r_dir_perms;
diff --git a/binderservicedomain.te b/public/binderservicedomain.te
similarity index 100%
rename from binderservicedomain.te
rename to public/binderservicedomain.te
diff --git a/blkid.te b/public/blkid.te
similarity index 100%
rename from blkid.te
rename to public/blkid.te
diff --git a/blkid_untrusted.te b/public/blkid_untrusted.te
similarity index 100%
rename from blkid_untrusted.te
rename to public/blkid_untrusted.te
diff --git a/bluetooth.te b/public/bluetooth.te
similarity index 96%
rename from bluetooth.te
rename to public/bluetooth.te
index d8448a6..332d2ab 100644
--- a/bluetooth.te
+++ b/public/bluetooth.te
@@ -14,7 +14,6 @@
 allow bluetooth bluetooth_logs_data_file:file create_file_perms;
 
 # Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 allow bluetooth bluetooth_socket:sock_file create_file_perms;
 
 # bluetooth factory file accesses.
diff --git a/bluetoothdomain.te b/public/bluetoothdomain.te
similarity index 100%
rename from bluetoothdomain.te
rename to public/bluetoothdomain.te
diff --git a/boot_control_hal.te b/public/boot_control_hal.te
similarity index 100%
rename from boot_control_hal.te
rename to public/boot_control_hal.te
diff --git a/bootanim.te b/public/bootanim.te
similarity index 96%
rename from bootanim.te
rename to public/bootanim.te
index e18654c..abbcaca 100644
--- a/bootanim.te
+++ b/public/bootanim.te
@@ -2,8 +2,6 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
-init_daemon_domain(bootanim)
-
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)
diff --git a/bootstat.te b/public/bootstat.te
similarity index 91%
rename from bootstat.te
rename to public/bootstat.te
index 44a8c91..82d730c 100644
--- a/bootstat.te
+++ b/public/bootstat.te
@@ -2,8 +2,6 @@
 type bootstat, domain;
 type bootstat_exec, exec_type, file_type;
 
-init_daemon_domain(bootstat)
-
 # Allow persistent storage in /data/misc/bootstat.
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
diff --git a/cameraserver.te b/public/cameraserver.te
similarity index 97%
rename from cameraserver.te
rename to public/cameraserver.te
index c12b1a2..b12d17c 100644
--- a/cameraserver.te
+++ b/public/cameraserver.te
@@ -2,8 +2,6 @@
 type cameraserver, domain;
 type cameraserver_exec, exec_type, file_type;
 
-init_daemon_domain(cameraserver)
-
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
 binder_call(cameraserver, appdomain)
diff --git a/clatd.te b/public/clatd.te
similarity index 100%
rename from clatd.te
rename to public/clatd.te
diff --git a/cppreopts.te b/public/cppreopts.te
similarity index 80%
rename from cppreopts.te
rename to public/cppreopts.te
index 66df7ee..8cbf801 100644
--- a/cppreopts.te
+++ b/public/cppreopts.te
@@ -7,12 +7,6 @@
 type cppreopts, domain, mlstrustedsubject;
 type cppreopts_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
-
 # Allow cppreopts copy files into the dalvik-cache
 allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
 allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
diff --git a/debuggerd.te b/public/debuggerd.te
similarity index 97%
rename from debuggerd.te
rename to public/debuggerd.te
index 80d3f5c..da1314a 100644
--- a/debuggerd.te
+++ b/public/debuggerd.te
@@ -2,7 +2,6 @@
 type debuggerd, domain, domain_deprecated;
 type debuggerd_exec, exec_type, file_type;
 
-init_daemon_domain(debuggerd)
 typeattribute debuggerd mlstrustedsubject;
 allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
 allow debuggerd self:capability2 { syslog };
diff --git a/device.te b/public/device.te
similarity index 97%
rename from device.te
rename to public/device.te
index 7e0073f..b4ca618 100644
--- a/device.te
+++ b/public/device.te
@@ -4,6 +4,8 @@
 type adb_device, dev_type;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
+type audio_timer_device, dev_type;
+type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type block_device, dev_type;
diff --git a/dex2oat.te b/public/dex2oat.te
similarity index 100%
rename from dex2oat.te
rename to public/dex2oat.te
diff --git a/dhcp.te b/public/dhcp.te
similarity index 91%
rename from dhcp.te
rename to public/dhcp.te
index a051b19..6b9fb4a 100644
--- a/dhcp.te
+++ b/public/dhcp.te
@@ -2,7 +2,6 @@
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
-init_daemon_domain(dhcp)
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
@@ -21,7 +20,6 @@
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
 
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
 allow dhcp dhcp_data_file:file create_file_perms;
 
diff --git a/dnsmasq.te b/public/dnsmasq.te
similarity index 100%
rename from dnsmasq.te
rename to public/dnsmasq.te
diff --git a/domain.te b/public/domain.te
similarity index 99%
rename from domain.te
rename to public/domain.te
index fcd33af..b464fc6 100644
--- a/domain.te
+++ b/public/domain.te
@@ -299,7 +299,7 @@
 neverallow {
     domain
     -appdomain
-    -autoplay_app
+    -ephemeral_app
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
diff --git a/domain_deprecated.te b/public/domain_deprecated.te
similarity index 100%
rename from domain_deprecated.te
rename to public/domain_deprecated.te
diff --git a/drmserver.te b/public/drmserver.te
similarity index 91%
rename from drmserver.te
rename to public/drmserver.te
index d0adf46..6512915 100644
--- a/drmserver.te
+++ b/public/drmserver.te
@@ -2,7 +2,6 @@
 type drmserver, domain;
 type drmserver_exec, exec_type, file_type;
 
-init_daemon_domain(drmserver)
 typeattribute drmserver mlstrustedsubject;
 
 net_domain(drmserver)
@@ -10,7 +9,7 @@
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system_server)
-binder_call(drmserver, { appdomain autoplay_app })
+binder_call(drmserver, { appdomain ephemeral_app })
 binder_service(drmserver)
 # Inherit or receive open files from system_server.
 allow drmserver system_server:fd use;
@@ -22,7 +21,7 @@
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file autoplay_data_file}:file { read write getattr };
+allow drmserver { app_data_file ephemeral_data_file}:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)
 
diff --git a/dumpstate.te b/public/dumpstate.te
similarity index 95%
rename from dumpstate.te
rename to public/dumpstate.te
index 9f3370e..690e843 100644
--- a/dumpstate.te
+++ b/public/dumpstate.te
@@ -2,7 +2,6 @@
 type dumpstate, domain, domain_deprecated, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
-init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
 wakelock_use(dumpstate)
@@ -50,7 +49,7 @@
 allow dumpstate domain:process getattr;
 
 # Signal java processes to dump their stack
-allow dumpstate { appdomain autoplay_app system_server }:process signal;
+allow dumpstate { appdomain ephemeral_app system_server }:process signal;
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
@@ -80,9 +79,6 @@
   surfaceflinger
 }:debuggerd dump_backtrace;
 
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
 # Vibrate the device after we're done collecting the bugreport
 # /sys/class/timed_output/vibrator/enable
 # TODO: create a new file class, instead of allowing write access to all of /sys
@@ -101,7 +97,7 @@
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain autoplay_app netd wificond })
+binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
 
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:capability sys_ptrace;
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
new file mode 100644
index 0000000..200d78f
--- /dev/null
+++ b/public/ephemeral_app.te
@@ -0,0 +1,106 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+type ephemeral_app, domain;
+
+# allow JITing
+allow ephemeral_app self:process execmem;
+allow ephemeral_app ashmem_device:chr_file execute;
+
+# Map with PROT_EXEC.
+allow ephemeral_app ephemeral_app_tmpfs:file execute;
+
+# Read system properties managed by zygote.
+allow ephemeral_app zygote_tmpfs:file read;
+
+# Send logcat messages to logd.
+write_logd(ephemeral_app)
+
+# Receive and use open file descriptors inherited from zygote.
+allow ephemeral_app zygote:fd use;
+
+# Notify zygote of death;
+allow ephemeral_app zygote:process sigchld;
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow ephemeral_app zygote:unix_dgram_socket write;
+
+# App sandbox file accesses.
+allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
+allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
+
+# For art.
+allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
+allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
+allow ephemeral_app dalvikcache_data_file:dir getattr;
+
+# Grant GPU access. ephemeral_app needs that to render the standard UI.
+allow ephemeral_app gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(ephemeral_app)
+# Perform binder IPC to binder services.
+binder_call(ephemeral_app, surfaceflinger)
+binder_call(ephemeral_app, system_server)
+
+# Allow read access to ion memory allocation device
+allow ephemeral_app ion_device:chr_file { read open };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow ephemeral_app system_server:fifo_file rw_file_perms;
+allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Inherit or receive open files from system_server.
+allow ephemeral_app system_server:fd use;
+
+# Communicate with surfaceflinger.
+allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# Read files already opened under /data.
+allow ephemeral_app system_data_file:file { getattr read };
+allow ephemeral_app system_data_file:lnk_file read;
+
+# System file accesses. Check for libraries
+allow ephemeral_app system_file:dir getattr;
+
+# services
+allow ephemeral_app accessibility_service:service_manager find;
+allow ephemeral_app activity_service:service_manager find;
+allow ephemeral_app assetatlas_service:service_manager find;
+allow ephemeral_app connectivity_service:service_manager find;
+allow ephemeral_app display_service:service_manager find;
+allow ephemeral_app graphicsstats_service:service_manager find;
+allow ephemeral_app input_method_service:service_manager find;
+allow ephemeral_app input_service:service_manager find;
+allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app textservices_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
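Review bot: `ephemeral_app` is declared with only `domain` (not `appdomain`) on the `type` line, so none of the appdomain-wide neverallow rules cover it and every restriction has to be restated in this file, yet only the five neverallows at the bottom are present; a comment on the type line should make that explicit, e.g. `# Deliberately not appdomain: appdomain neverallows do not cover this domain, so restrictions must be restated below.` `ephemeral_app_tmpfs` is used in the `execute` rule but not declared in this file — presumably it comes from a `tmpfs_domain` call elsewhere in the split policy; worth confirming. Minor: the comment `# Notify zygote of death;` ends with a stray semicolon.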
diff --git a/file.te b/public/file.te
similarity index 98%
rename from file.te
rename to public/file.te
index 7c6c5a8..4867b67 100644
--- a/file.te
+++ b/public/file.te
@@ -41,6 +41,7 @@
 type sysfs_lowmemorykiller, fs_type, sysfs_type;
 # /sys/module/wlan/parameters/fwpath
 type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
 
 type sysfs_thermal, sysfs_type, fs_type;
 
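Review bot: `type sysfs_vibrator, fs_type, sysfs_type;` is added without the path comment the neighbouring sysfs labels carry (`# /sys/module/wlan/parameters/fwpath` above `sysfs_wlan_fwpath`). The dumpstate.te hunk in this same commit refers to `/sys/class/timed_output/vibrator/enable`; if that is the node this label is for, add `# /sys/class/timed_output/vibrator` above the new line so the label can be matched against file_contexts without guessing.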
@@ -141,6 +142,7 @@
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
+type audiohal_data_file, file_type, data_file_type;
 type audioserver_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type bluetooth_logs_data_file, file_type, data_file_type;
@@ -171,7 +173,7 @@
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
-type autoplay_data_file, file_type, data_file_type;
+type ephemeral_data_file, file_type, data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
diff --git a/fingerprintd.te b/public/fingerprintd.te
similarity index 94%
rename from fingerprintd.te
rename to public/fingerprintd.te
index 09d39b1..b541e34 100644
--- a/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,8 +1,6 @@
 type fingerprintd, domain, domain_deprecated;
 type fingerprintd_exec, exec_type, file_type;
 
-# fingerprintd
-init_daemon_domain(fingerprintd)
 binder_use(fingerprintd)
 
 # need to find KeyStore and add self
diff --git a/fsck.te b/public/fsck.te
similarity index 97%
rename from fsck.te
rename to public/fsck.te
index 9f372ce..bdbbd33 100644
--- a/fsck.te
+++ b/public/fsck.te
@@ -2,8 +2,6 @@
 type fsck, domain, domain_deprecated;
 type fsck_exec, exec_type, file_type;
 
-init_daemon_domain(fsck)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow fsck tmpfs:chr_file { read write ioctl };
diff --git a/fsck_untrusted.te b/public/fsck_untrusted.te
similarity index 100%
rename from fsck_untrusted.te
rename to public/fsck_untrusted.te
diff --git a/gatekeeperd.te b/public/gatekeeperd.te
similarity index 96%
rename from gatekeeperd.te
rename to public/gatekeeperd.te
index bc4fe81..13d2db7 100644
--- a/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -2,7 +2,6 @@
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
-init_daemon_domain(gatekeeperd)
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
diff --git a/global_macros b/public/global_macros
similarity index 100%
rename from global_macros
rename to public/global_macros
diff --git a/hci_attach.te b/public/hci_attach.te
similarity index 89%
rename from hci_attach.te
rename to public/hci_attach.te
index 543cae1..04b6113 100644
--- a/hci_attach.te
+++ b/public/hci_attach.te
@@ -1,8 +1,6 @@
 type hci_attach, domain, domain_deprecated;
 type hci_attach_exec, exec_type, file_type;
 
-init_daemon_domain(hci_attach)
-
 allow hci_attach kernel:system module_request;
 allow hci_attach hci_attach_dev:chr_file rw_file_perms;
 allow hci_attach bluetooth_efs_file:dir r_dir_perms;
diff --git a/healthd.te b/public/healthd.te
similarity index 100%
rename from healthd.te
rename to public/healthd.te
diff --git a/hostapd.te b/public/hostapd.te
similarity index 97%
rename from hostapd.te
rename to public/hostapd.te
index 62f9cc7..b40bdc8 100644
--- a/hostapd.te
+++ b/public/hostapd.te
@@ -2,7 +2,7 @@
 type hostapd, domain;
 type hostapd_exec, exec_type, file_type;
 
-init_daemon_domain(hostapd)
+
 net_domain(hostapd)
 allow hostapd self:capability { net_admin net_raw };
 
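Review bot: Replacing `init_daemon_domain(hostapd)` with an empty line leaves two consecutive blank lines after the type declarations; drop the added blank so the header is followed by a single blank line as in the other renamed files. The same double blank line is left behind in otapreopt_slot.te and postinstall_dexopt.te, where a removed block's trailing blank line was kept.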
diff --git a/hwservicemanager.te b/public/hwservicemanager.te
similarity index 94%
rename from hwservicemanager.te
rename to public/hwservicemanager.te
index 649e2b8..cbb47e5 100644
--- a/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,8 +2,6 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
-init_daemon_domain(hwservicemanager)
-
 # Note that we do not use the binder_* macros here.
 # hwservicemanager only provides name service (aka context manager)
 # for Binder.
diff --git a/idmap.te b/public/idmap.te
similarity index 100%
rename from idmap.te
rename to public/idmap.te
diff --git a/init.te b/public/init.te
similarity index 95%
rename from init.te
rename to public/init.te
index 1512d0b..16bafc3 100644
--- a/init.te
+++ b/public/init.te
@@ -1,6 +1,5 @@
 # init is its own domain.
 type init, domain, domain_deprecated, mlstrustedsubject;
-tmpfs_domain(init)
 
 # The init domain is entered by execing init.
 type init_exec, exec_type, file_type;
@@ -224,21 +223,6 @@
 allow init sysfs_type:lnk_file read;
 allow init sysfs_type:file rw_file_perms;
 
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-recovery_only(`
-  domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
-  domain_auto_trans(init, logcat_exec, logd)
-')
-
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
 allow init misc_logd_file:dir { open create read getattr setattr search };
diff --git a/inputflinger.te b/public/inputflinger.te
similarity index 92%
rename from inputflinger.te
rename to public/inputflinger.te
index b6a5f0b..bee392f 100644
--- a/inputflinger.te
+++ b/public/inputflinger.te
@@ -2,7 +2,6 @@
 type inputflinger, domain, domain_deprecated;
 type inputflinger_exec, exec_type, file_type;
 
-init_daemon_domain(inputflinger)
 binder_use(inputflinger)
 binder_service(inputflinger)
 
diff --git a/install_recovery.te b/public/install_recovery.te
similarity index 95%
rename from install_recovery.te
rename to public/install_recovery.te
index b11ff74..132b03d 100644
--- a/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,8 +2,6 @@
 type install_recovery, domain, domain_deprecated;
 type install_recovery_exec, exec_type, file_type;
 
-init_daemon_domain(install_recovery)
-
 allow install_recovery self:capability dac_override;
 
 # /system/bin/install-recovery.sh is a shell script.
diff --git a/installd.te b/public/installd.te
similarity index 93%
rename from installd.te
rename to public/installd.te
index 317ae7c..a544d5b 100644
--- a/installd.te
+++ b/public/installd.te
@@ -1,8 +1,6 @@
 # installer daemon
 type installd, domain, domain_deprecated;
 type installd_exec, exec_type, file_type;
-
-init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
 
@@ -64,15 +62,6 @@
 allow installd resourcecache_data_file:dir rw_dir_perms;
 allow installd resourcecache_data_file:file create_file_perms;
 
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
@@ -97,7 +86,7 @@
     radio_data_file
     shell_data_file
     app_data_file
-    autoplay_data_file
+    ephemeral_data_file
 }:dir { create_dir_perms relabelfrom relabelto };
 
 allow installd {
@@ -107,7 +96,7 @@
     radio_data_file
     shell_data_file
     app_data_file
-    autoplay_data_file
+    ephemeral_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
 # Similar for the files under /data/misc/profiles/
diff --git a/ioctl_defines b/public/ioctl_defines
similarity index 100%
rename from ioctl_defines
rename to public/ioctl_defines
diff --git a/ioctl_macros b/public/ioctl_macros
similarity index 100%
rename from ioctl_macros
rename to public/ioctl_macros
diff --git a/isolated_app.te b/public/isolated_app.te
similarity index 90%
rename from isolated_app.te
rename to public/isolated_app.te
index 14e7f29..081849e 100644
--- a/isolated_app.te
+++ b/public/isolated_app.te
@@ -76,3 +76,10 @@
   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
   netlink_rdma_socket netlink_crypto_socket
 } *;
+
+# Do not allow isolated_app to access external storage
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:file_class_set *;
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
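Review bot: The comment above the two new storage neverallows says external storage is not accessible, but the first rule uses `~getattr`, so `getattr` on those directories stays permitted and a reader cannot tell whether that is intended or a slip. State the exemption and its reason in the comment, e.g. `# Do not allow isolated_app to access external storage (dir getattr is deliberately left open).` The pair reads as intended only if `file_class_set` excludes `dir`, as the global_macros definition does; if it ever included `dir`, the second rule would also forbid dir getattr and the exemption would be moot.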
diff --git a/kernel.te b/public/kernel.te
similarity index 98%
rename from kernel.te
rename to public/kernel.te
index 3608a10..556904c 100644
--- a/kernel.te
+++ b/public/kernel.te
@@ -67,8 +67,6 @@
   allow kernel nativetest_data_file:file read;
 ')
 
-domain_auto_trans(kernel, init_exec, init)
-
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
diff --git a/keystore.te b/public/keystore.te
similarity index 97%
rename from keystore.te
rename to public/keystore.te
index 3d7bd92..4215017 100644
--- a/keystore.te
+++ b/public/keystore.te
@@ -2,7 +2,6 @@
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
-init_daemon_domain(keystore)
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
diff --git a/lmkd.te b/public/lmkd.te
similarity index 91%
rename from lmkd.te
rename to public/lmkd.te
index 5302bcd..8e3c61a 100644
--- a/lmkd.te
+++ b/public/lmkd.te
@@ -2,8 +2,6 @@
 type lmkd, domain, domain_deprecated, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
-init_daemon_domain(lmkd)
-
 allow lmkd self:capability { dac_override sys_resource kill };
 
 # lmkd locks itself in memory, to prevent it from being
@@ -16,8 +14,8 @@
 ## TODO: maybe scope this down?
 r_dir_file(lmkd, appdomain)
 allow lmkd appdomain:file write;
-r_dir_file(lmkd, autoplay_app)
-allow lmkd autoplay_app:file write;
+r_dir_file(lmkd, ephemeral_app)
+allow lmkd ephemeral_app:file write;
 r_dir_file(lmkd, system_server)
 allow lmkd system_server:file write;
 
diff --git a/logd.te b/public/logd.te
similarity index 98%
rename from logd.te
rename to public/logd.te
index c9072f3..1171ebf 100644
--- a/logd.te
+++ b/public/logd.te
@@ -2,8 +2,6 @@
 type logd, domain, mlstrustedsubject;
 type logd_exec, exec_type, file_type;
 
-init_daemon_domain(logd)
-
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc)
diff --git a/mdnsd.te b/public/mdnsd.te
similarity index 85%
rename from mdnsd.te
rename to public/mdnsd.te
index a9dc7c5..c32b433 100644
--- a/mdnsd.te
+++ b/public/mdnsd.te
@@ -2,7 +2,6 @@
 type mdnsd, domain, mlstrustedsubject;
 type mdnsd_exec, exec_type, file_type;
 
-init_daemon_domain(mdnsd)
 net_domain(mdnsd)
 
 # Read from /proc/net
diff --git a/mediacodec.te b/public/mediacodec.te
similarity index 96%
rename from mediacodec.te
rename to public/mediacodec.te
index 3d3625a..0b562c1 100644
--- a/mediacodec.te
+++ b/public/mediacodec.te
@@ -4,8 +4,6 @@
 
 typeattribute mediacodec mlstrustedsubject;
 
-init_daemon_domain(mediacodec)
-
 binder_use(mediacodec)
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
diff --git a/mediadrmserver.te b/public/mediadrmserver.te
similarity index 97%
rename from mediadrmserver.te
rename to public/mediadrmserver.te
index d9368ad..db8e082 100644
--- a/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -5,8 +5,6 @@
 typeattribute mediadrmserver mlstrustedsubject;
 
 net_domain(mediadrmserver)
-init_daemon_domain(mediadrmserver)
-
 binder_use(mediadrmserver)
 binder_call(mediadrmserver, binderservicedomain)
 binder_call(mediadrmserver, appdomain)
diff --git a/mediaextractor.te b/public/mediaextractor.te
similarity index 95%
rename from mediaextractor.te
rename to public/mediaextractor.te
index fe87447..ec0ce31 100644
--- a/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -4,8 +4,6 @@
 
 typeattribute mediaextractor mlstrustedsubject;
 
-init_daemon_domain(mediaextractor)
-
 binder_use(mediaextractor)
 binder_call(mediaextractor, binderservicedomain)
 binder_call(mediaextractor, appdomain)
diff --git a/mediaserver.te b/public/mediaserver.te
similarity index 96%
rename from mediaserver.te
rename to public/mediaserver.te
index e55c778..94566e0 100644
--- a/mediaserver.te
+++ b/public/mediaserver.te
@@ -5,7 +5,6 @@
 typeattribute mediaserver mlstrustedsubject;
 
 net_domain(mediaserver)
-init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
@@ -23,7 +22,7 @@
 
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, { appdomain autoplay_app })
+binder_call(mediaserver, { appdomain ephemeral_app })
 binder_service(mediaserver)
 
 allow mediaserver media_data_file:dir create_dir_perms;
@@ -49,7 +48,7 @@
 allow mediaserver radio_data_file:file { read getattr };
 
 # Use pipes passed over Binder from app domains.
-allow mediaserver { appdomain autoplay_app }:fifo_file { getattr read write };
+allow mediaserver { appdomain ephemeral_app }:fifo_file { getattr read write };
 
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
 
diff --git a/mtp.te b/public/mtp.te
similarity index 91%
rename from mtp.te
rename to public/mtp.te
index 02d4b56..0ca7cea 100644
--- a/mtp.te
+++ b/public/mtp.te
@@ -2,7 +2,6 @@
 type mtp, domain, domain_deprecated;
 type mtp_exec, exec_type, file_type;
 
-init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
diff --git a/net.te b/public/net.te
similarity index 100%
rename from net.te
rename to public/net.te
diff --git a/netd.te b/public/netd.te
similarity index 96%
rename from netd.te
rename to public/netd.te
index f01022a..dc4a1b3 100644
--- a/netd.te
+++ b/public/netd.te
@@ -2,7 +2,6 @@
 type netd, domain, domain_deprecated, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
-init_daemon_domain(netd)
 net_domain(netd)
 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
@@ -52,11 +51,9 @@
 allow netd self:capability fowner;
 
 # Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 allow netd dnsmasq:process signal;
 
 # Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
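Review bot: After removing `domain_auto_trans(netd, dnsmasq_exec, dnsmasq)` and `domain_auto_trans(netd, clatd_exec, clatd)`, the comments `# Allow netd to spawn dnsmasq in it's own domain` and `# Allow netd to start clatd in its own domain` now sit above rules that grant only `process signal` and describe a transition this file no longer contains. Reword them to what remains, e.g. `# Signal dnsmasq (its domain transition is declared in the private policy)` — presumed location, confirm — or drop them as installd.te does in this commit, where the comments were removed together with the transitions. The rewording also fixes the `it's`/`its` typo.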
diff --git a/neverallow_macros b/public/neverallow_macros
similarity index 100%
rename from neverallow_macros
rename to public/neverallow_macros
diff --git a/nfc.te b/public/nfc.te
similarity index 100%
rename from nfc.te
rename to public/nfc.te
diff --git a/otapreopt_chroot.te b/public/otapreopt_chroot.te
similarity index 82%
rename from otapreopt_chroot.te
rename to public/otapreopt_chroot.te
index fcba7b1..c071f44 100644
--- a/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -10,9 +10,8 @@
 # This is required to mount /vendor.
 allow otapreopt_chroot block_device:dir search;
 allow otapreopt_chroot labeledfs:filesystem mount;
-
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
 
 # Allow otapreopt to use file descriptors from update-engine. It will
 # close them immediately.
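Review bot: The new `dontaudit otapreopt_chroot kernel:process setsched;` silences a denial indefinitely, but the comment says only that mounting /vendor "can have this side-effect", which does not help a later reader decide whether the suppression is still needed. Expand the comment to name the mechanism if it is known, or mark it `# TODO: identify why the /vendor mount triggers setsched on kernel and drop this dontaudit`. Since dontaudit is suppression only, the operation is still denied; stating that it is harmless to deny would make the intent clear.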
diff --git a/otapreopt_slot.te b/public/otapreopt_slot.te
similarity index 89%
rename from otapreopt_slot.te
rename to public/otapreopt_slot.te
index 2f4da0a..5745ba7 100644
--- a/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -6,9 +6,6 @@
 type otapreopt_slot, domain, mlstrustedsubject;
 type otapreopt_slot_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
 
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
 # the directory afterwards. For logging of aggregate size, we need getattr.
diff --git a/platform_app.te b/public/platform_app.te
similarity index 100%
rename from platform_app.te
rename to public/platform_app.te
diff --git a/postinstall.te b/public/postinstall.te
similarity index 94%
rename from postinstall.te
rename to public/postinstall.te
index 0f6bb74..7fd4dc6 100644
--- a/postinstall.te
+++ b/public/postinstall.te
@@ -30,8 +30,6 @@
 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;
 
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-
 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.
diff --git a/postinstall_dexopt.te b/public/postinstall_dexopt.te
similarity index 90%
rename from postinstall_dexopt.te
rename to public/postinstall_dexopt.te
index e0cc257..5fdc510 100644
--- a/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,6 @@
 
 type postinstall_dexopt, domain;
 
-# init_daemon_domain(otapreopt)
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
 allow postinstall_dexopt postinstall_file:dir { getattr search };
@@ -43,9 +42,6 @@
 selinux_check_context(postinstall_dexopt)
 selinux_check_access(postinstall_dexopt)
 
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
 # Postinstall wants to know about our child.
 allow postinstall_dexopt postinstall:process sigchld;
diff --git a/ppp.te b/public/ppp.te
similarity index 92%
rename from ppp.te
rename to public/ppp.te
index 3fb6f2b0..5708822 100644
--- a/ppp.te
+++ b/public/ppp.te
@@ -2,7 +2,6 @@
 type ppp, domain, domain_deprecated;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
-domain_auto_trans(mtp, ppp_exec, ppp)
 
 net_domain(ppp)
 
diff --git a/preopt2cachename.te b/public/preopt2cachename.te
similarity index 100%
rename from preopt2cachename.te
rename to public/preopt2cachename.te
diff --git a/priv_app.te b/public/priv_app.te
similarity index 100%
rename from priv_app.te
rename to public/priv_app.te
diff --git a/profman.te b/public/profman.te
similarity index 100%
rename from profman.te
rename to public/profman.te
diff --git a/property.te b/public/property.te
similarity index 100%
rename from property.te
rename to public/property.te
diff --git a/racoon.te b/public/racoon.te
similarity index 89%
rename from racoon.te
rename to public/racoon.te
index c3666bd..3255b9e 100644
--- a/racoon.te
+++ b/public/racoon.te
@@ -1,11 +1,11 @@
 # IKE key management daemon
-type racoon, domain, domain_deprecated;
+type racoon, domain;
 type racoon_exec, exec_type, file_type;
 
-init_daemon_domain(racoon)
 typeattribute racoon mlstrustedsubject;
 
 net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR };
 
 binder_use(racoon)
 
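Review bot: The new `allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR };` has no comment explaining why racoon needs to change interface flags and addresses, a privileged operation that deserves a rationale next to it, e.g. `# racoon configures the VPN tunnel interface (address/flags); keep this ioctl list minimal.` — the purpose is inferred from the daemon's role, so confirm before committing the wording. The extended-permission rule only narrows `ioctl` and presumably relies on `net_domain` (or something else now that `domain_deprecated` is dropped from the type line) to grant `udp_socket ioctl` in the first place; worth verifying that is still the case. Combining the `domain_deprecated` removal with the new ioctl grant in one hunk makes it hard to see which denials the grant replaces.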
diff --git a/radio.te b/public/radio.te
similarity index 100%
rename from radio.te
rename to public/radio.te
diff --git a/recovery.te b/public/recovery.te
similarity index 97%
rename from recovery.te
rename to public/recovery.te
index eeb8bf9..bd701d9 100644
--- a/recovery.te
+++ b/public/recovery.te
@@ -66,8 +66,6 @@
   allow recovery dev_type:blk_file rw_file_perms;
 
   # GUI
-  allow recovery self:process execmem;
-  allow recovery ashmem_device:chr_file execute;
   allow recovery graphics_device:chr_file rw_file_perms;
   allow recovery graphics_device:dir r_dir_perms;
   allow recovery input_device:dir r_dir_perms;
diff --git a/recovery_persist.te b/public/recovery_persist.te
similarity index 95%
rename from recovery_persist.te
rename to public/recovery_persist.te
index 19a240f..1abcc7c 100644
--- a/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -2,8 +2,6 @@
 type recovery_persist, domain;
 type recovery_persist_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_persist)
-
 allow recovery_persist pstorefs:dir search;
 allow recovery_persist pstorefs:file r_file_perms;
 
diff --git a/recovery_refresh.te b/public/recovery_refresh.te
similarity index 95%
rename from recovery_refresh.te
rename to public/recovery_refresh.te
index 9fae110..5707e7b 100644
--- a/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -2,8 +2,6 @@
 type recovery_refresh, domain;
 type recovery_refresh_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_refresh)
-
 allow recovery_refresh pstorefs:dir search;
 allow recovery_refresh pstorefs:file r_file_perms;
 # NB: domain inherits write_logd which hands us write to pmsg_device
diff --git a/rild.te b/public/rild.te
similarity index 98%
rename from rild.te
rename to public/rild.te
index 0d834e1..85aa044 100644
--- a/rild.te
+++ b/public/rild.te
@@ -2,7 +2,6 @@
 type rild, domain, domain_deprecated;
 type rild_exec, exec_type, file_type;
 
-init_daemon_domain(rild)
 net_domain(rild)
 allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
 
diff --git a/runas.te b/public/runas.te
similarity index 92%
rename from runas.te
rename to public/runas.te
index 58a1bdc..21bd880 100644
--- a/runas.te
+++ b/public/runas.te
@@ -1,8 +1,6 @@
 type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
 allow runas adbd:process sigchld;
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
diff --git a/sdcardd.te b/public/sdcardd.te
similarity index 94%
rename from sdcardd.te
rename to public/sdcardd.te
index 846c59b..52037e6 100644
--- a/sdcardd.te
+++ b/public/sdcardd.te
@@ -14,7 +14,6 @@
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;
 
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;
 
diff --git a/service.te b/public/service.te
similarity index 96%
rename from service.te
rename to public/service.te
index 9c8da49..33ce13f 100644
--- a/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
 type appwidget_service, app_api_service, system_server_service, service_manager_type;
 type assetatlas_service, app_api_service, system_server_service, service_manager_type;
 type audio_service, app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, system_server_service, service_manager_type;
 type backup_service, app_api_service, system_server_service, service_manager_type;
 type batterystats_service, app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
@@ -38,6 +39,7 @@
 type contexthub_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, app_api_service, system_server_service, service_manager_type;
 type commontime_management_service, system_server_service, service_manager_type;
+type connectivity_metrics_logger_service, app_api_service, system_server_service, service_manager_type;
 type connectivity_service, app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
@@ -122,5 +124,6 @@
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, app_api_service, system_server_service, service_manager_type;
 type wificond_service, system_server_service, service_manager_type;
+type wifinan_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
 type wpa_supplicant_service, system_server_service, service_manager_type;
diff --git a/servicemanager.te b/public/servicemanager.te
similarity index 94%
rename from servicemanager.te
rename to public/servicemanager.te
index 4f07a55..469c637 100644
--- a/servicemanager.te
+++ b/public/servicemanager.te
@@ -2,8 +2,6 @@
 type servicemanager, domain, domain_deprecated, mlstrustedsubject;
 type servicemanager_exec, exec_type, file_type;
 
-init_daemon_domain(servicemanager)
-
 # Note that we do not use the binder_* macros here.
 # servicemanager is unique in that it only provides
 # name service (aka context manager) for Binder.
diff --git a/sgdisk.te b/public/sgdisk.te
similarity index 100%
rename from sgdisk.te
rename to public/sgdisk.te
diff --git a/shared_relro.te b/public/shared_relro.te
similarity index 100%
rename from shared_relro.te
rename to public/shared_relro.te
diff --git a/shell.te b/public/shell.te
similarity index 100%
rename from shell.te
rename to public/shell.te
diff --git a/slideshow.te b/public/slideshow.te
similarity index 100%
rename from slideshow.te
rename to public/slideshow.te
diff --git a/surfaceflinger.te b/public/surfaceflinger.te
similarity index 92%
rename from surfaceflinger.te
rename to public/surfaceflinger.te
index d02fc93..2afb7d1 100644
--- a/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -2,13 +2,12 @@
 type surfaceflinger, domain, domain_deprecated;
 type surfaceflinger_exec, exec_type, file_type;
 
-init_daemon_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, { appdomain autoplay_app })
+binder_call(surfaceflinger, { appdomain ephemeral_app })
 binder_call(surfaceflinger, bootanim)
 binder_service(surfaceflinger)
 
@@ -17,7 +16,7 @@
 
 # Read /proc/pid files for Binder clients.
 r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, { appdomain autoplay_app })
+r_dir_file(surfaceflinger, { appdomain ephemeral_app })
 
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -38,7 +37,7 @@
 set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
-allow surfaceflinger { appdomain autoplay_app }:fd use;
+allow surfaceflinger { appdomain ephemeral_app }:fd use;
 allow surfaceflinger app_data_file:file { read write };
 
 # Allow a dumpstate triggered screenshot
diff --git a/system_app.te b/public/system_app.te
similarity index 100%
rename from system_app.te
rename to public/system_app.te
diff --git a/system_server.te b/public/system_server.te
similarity index 95%
rename from system_server.te
rename to public/system_server.te
index b9fe97b..249a3d3 100644
--- a/system_server.te
+++ b/public/system_server.te
@@ -4,9 +4,6 @@
 #
 type system_server, domain, domain_deprecated, mlstrustedsubject;
 
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -90,10 +87,10 @@
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server { appdomain autoplay_app }:process { sigkill signal };
+allow system_server { appdomain ephemeral_app }:process { sigkill signal };
 
 # Set scheduling info for apps.
-allow system_server { appdomain autoplay_app }:process { getsched setsched };
+allow system_server { appdomain ephemeral_app }:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
@@ -150,10 +147,12 @@
 
 # Perform Binder IPC.
 binder_use(system_server)
+binder_call(system_server, android_hardware_vibrator_service)
+binder_call(system_server, android_hardware_vr)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, gatekeeperd)
 binder_call(system_server, fingerprintd)
-binder_call(system_server, { appdomain autoplay_app })
+binder_call(system_server, { appdomain ephemeral_app })
 binder_call(system_server, dumpstate)
 binder_call(system_server, netd)
 binder_call(system_server, wificond)
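Review bot: The two new lines `binder_call(system_server, android_hardware_vibrator_service)` and `binder_call(system_server, android_hardware_vr)` have no comment, and a later hunk in this same file keeps a `TODO: Remove when HALs are forced into separate processes` on a direct sysfs_vibrator write, so a reader cannot tell whether the vibrator HAL is expected in-process here (sysfs write), out-of-process (binder call), or both during a transition. A one-line comment such as `# Talk to the vibrator and VR HAL service domains over binder` would settle that, and if the sysfs write is the in-process fallback, say which configuration each rule serves. Where these two types are declared is not visible in this diff; presumably they sit in public policy so vendor HAL implementations can be labelled with them, which is worth confirming.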
@@ -199,6 +198,9 @@
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
 
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file write;
+
 # TODO: added to match above sysfs rule. Remove me?
 allow system_server sysfs_usb:file w_file_perms;
 
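Review bot: The added `allow system_server sysfs_vibrator:file write;` grants `write` without `open`, so assuming the open_perms policy capability is enabled (as AOSP policy does) system_server can only write through a vibrator sysfs fd that some other domain opened and passed to it; an open(2) for writing from system_server itself will still be denied. If that is the intent, the comment should say so; if system_server opens the file, the rule needs `{ open write }`, and the neighbouring sysfs_usb rule already uses `w_file_perms` for the equivalent case. The TODO would also benefit from a tracking bug reference so this temporary grant is actually removed once the HAL is out of process.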
@@ -292,7 +294,7 @@
 
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file autoplay_data_file }:dir { getattr read search };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file ephemeral_data_file }:dir { getattr read search };
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -369,7 +371,6 @@
 allow system_server wpa_socket:sock_file unlink;
 
 # Create a socket for connections from debuggerd.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
@@ -388,8 +389,8 @@
 allow system_server gps_control:file rw_file_perms;
 
 # Allow system_server to use app-created sockets and pipes.
-allow system_server { appdomain autoplay_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server { appdomain autoplay_app }:{ fifo_file unix_stream_socket } { getattr read write };
+allow system_server { appdomain ephemeral_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server { appdomain ephemeral_app }:{ fifo_file unix_stream_socket } { getattr read write };
 
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
@@ -559,6 +560,9 @@
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 
+# Allow system_server to make binder calls to hwservicemanager
+binder_call(system_server, hwservicemanager)
+
 
 ###
 ### Neverallow rules
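Review bot: The new `binder_call(system_server, hwservicemanager)` is placed at the very end of the allow rules, far from the `# Perform Binder IPC` block earlier in this file where every other `binder_call(system_server, ...)` lives, and it leaves two consecutive blank lines before the `### Neverallow rules` banner. Moving it up beside `binder_call(system_server, binderservicedomain)` with its comment keeps the binder grants reviewable in one place and drops the stray blank line. Separately, hwservicemanager is the hwbinder context manager, and `binder_call` alone does not grant access to the hwbinder device; this policy has an `hwbinder_use` macro (used by wifi_hal_legacy), so if system_server is meant to talk over hwbinder it likely needs that too, though I cannot confirm from this hunk.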
diff --git a/te_macros b/public/te_macros
similarity index 100%
rename from te_macros
rename to public/te_macros
diff --git a/tee.te b/public/tee.te
similarity index 96%
rename from tee.te
rename to public/tee.te
index 3d4cc2f..a95be88 100644
--- a/tee.te
+++ b/public/tee.te
@@ -6,7 +6,6 @@
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
 
-init_daemon_domain(tee)
 allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
diff --git a/toolbox.te b/public/toolbox.te
similarity index 96%
rename from toolbox.te
rename to public/toolbox.te
index 7767079..59c3a9c 100644
--- a/toolbox.te
+++ b/public/toolbox.te
@@ -4,8 +4,6 @@
 type toolbox, domain;
 type toolbox_exec, exec_type, file_type;
 
-init_daemon_domain(toolbox)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow toolbox tmpfs:chr_file { read write ioctl };
diff --git a/tzdatacheck.te b/public/tzdatacheck.te
similarity index 87%
rename from tzdatacheck.te
rename to public/tzdatacheck.te
index f61cb47..37daa75 100644
--- a/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -2,7 +2,5 @@
 type tzdatacheck, domain, domain_deprecated;
 type tzdatacheck_exec, exec_type, file_type;
 
-init_daemon_domain(tzdatacheck)
-
 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
 allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/ueventd.te b/public/ueventd.te
similarity index 98%
rename from ueventd.te
rename to public/ueventd.te
index d4880fa..46787c4 100644
--- a/ueventd.te
+++ b/public/ueventd.te
@@ -1,7 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain, domain_deprecated;
-tmpfs_domain(ueventd)
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/uncrypt.te b/public/uncrypt.te
similarity index 97%
rename from uncrypt.te
rename to public/uncrypt.te
index 308e0f6..ef1289c 100644
--- a/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,8 +2,6 @@
 type uncrypt, domain, domain_deprecated, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
-init_daemon_domain(uncrypt)
-
 allow uncrypt self:capability dac_override;
 
 # Read OTA zip file from /data/data/com.google.android.gsf/app_download
diff --git a/untrusted_app.te b/public/untrusted_app.te
similarity index 100%
rename from untrusted_app.te
rename to public/untrusted_app.te
diff --git a/update_engine.te b/public/update_engine.te
similarity index 97%
rename from update_engine.te
rename to public/update_engine.te
index fa3f05c..a3dee0d 100644
--- a/update_engine.te
+++ b/public/update_engine.te
@@ -4,7 +4,6 @@
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
-init_daemon_domain(update_engine);
 net_domain(update_engine);
 
 # Following permissions are needed for update_engine.
diff --git a/update_engine_common.te b/public/update_engine_common.te
similarity index 87%
rename from update_engine_common.te
rename to public/update_engine_common.te
index e70e44d..29581dd 100644
--- a/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -24,9 +24,6 @@
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
diff --git a/update_verifier.te b/public/update_verifier.te
similarity index 93%
rename from update_verifier.te
rename to public/update_verifier.te
index 09d5fc4..731b623 100644
--- a/update_verifier.te
+++ b/public/update_verifier.te
@@ -3,8 +3,6 @@
 type update_verifier, domain, boot_control_hal;
 type update_verifier_exec, exec_type, file_type;
 
-init_daemon_domain(update_verifier)
-
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
 
diff --git a/vdc.te b/public/vdc.te
similarity index 96%
rename from vdc.te
rename to public/vdc.te
index d31be65..394ac96 100644
--- a/vdc.te
+++ b/public/vdc.te
@@ -8,8 +8,6 @@
 type vdc, domain, domain_deprecated;
 type vdc_exec, exec_type, file_type;
 
-init_daemon_domain(vdc)
-
 unix_socket_connect(vdc, vold, vold)
 
 # vdc sends information back to dumpstate when "adb bugreport" is used
diff --git a/vold.te b/public/vold.te
similarity index 89%
rename from vold.te
rename to public/vold.te
index 6e0fa16..afe55c0 100644
--- a/vold.te
+++ b/public/vold.te
@@ -2,12 +2,6 @@
 type vold, domain, domain_deprecated;
 type vold_exec, exec_type, file_type;
 
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;
 allow vold cache_file:file { getattr read };
@@ -25,13 +19,6 @@
 r_dir_file(vold, rootfs)
 allow vold proc_meminfo:file r_file_perms;
 
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
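Review bot: With the four `domain_trans(vold, ...)` lines removed, the retained comment `# Allow us to jump into execution domains of above tools` above `allow vold self:process setexec;` now refers to tools that are no longer listed anywhere in this file. Reword it to stand alone, e.g. `# setexec is needed for the blkid/fsck domain transitions, which live in private policy`, adjusting the location if the transitions went elsewhere, as I cannot see where they were moved. Without that context, keeping `setexec` in public policy reads as an unexplained broad grant.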
@@ -58,11 +45,6 @@
 allow vold media_rw_data_file:dir create_dir_perms;
 allow vold media_rw_data_file:file create_file_perms;
 
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
 # Allow mounting of storage devices
 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
 allow vold sdcard_type:filesystem { mount unmount remount };
diff --git a/watchdogd.te b/public/watchdogd.te
similarity index 100%
rename from watchdogd.te
rename to public/watchdogd.te
diff --git a/wifi_hal_legacy.te b/public/wifi_hal_legacy.te
similarity index 91%
rename from wifi_hal_legacy.te
rename to public/wifi_hal_legacy.te
index a7fce57..ccdd96c 100644
--- a/wifi_hal_legacy.te
+++ b/public/wifi_hal_legacy.te
@@ -2,9 +2,6 @@
 type wifi_hal_legacy, domain;
 type wifi_hal_legacy_exec, exec_type, file_type;
 
-# may be started by init
-init_daemon_domain(wifi_hal_legacy)
-
 ## hwbinder access
 hwbinder_use(wifi_hal_legacy)
 
diff --git a/wificond.te b/public/wificond.te
similarity index 97%
rename from wificond.te
rename to public/wificond.te
index 673394a..82c10c1 100644
--- a/wificond.te
+++ b/public/wificond.te
@@ -2,8 +2,6 @@
 type wificond, domain;
 type wificond_exec, exec_type, file_type;
 
-init_daemon_domain(wificond)
-
 binder_use(wificond)
 binder_call(wificond, system_server)
 binder_call(wificond, wpa)
diff --git a/wpa.te b/public/wpa.te
similarity index 94%
rename from wpa.te
rename to public/wpa.te
index dfb73dc..3cb042b 100644
--- a/wpa.te
+++ b/public/wpa.te
@@ -2,8 +2,6 @@
 type wpa, domain, domain_deprecated;
 type wpa_exec, exec_type, file_type;
 
-init_daemon_domain(wpa)
-
 net_domain(wpa)
 # in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
 allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;
@@ -29,7 +27,6 @@
 allow wpa wpa_supplicant_service:service_manager { add find };
 
 # Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:dir wpa_socket "sockets";
 allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 
diff --git a/zygote.te b/public/zygote.te
similarity index 90%
rename from zygote.te
rename to public/zygote.te
index 9f210ed..bb411e8 100644
--- a/zygote.te
+++ b/public/zygote.te
@@ -2,7 +2,6 @@
 type zygote, domain, domain_deprecated;
 type zygote_exec, exec_type, file_type;
 
-init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
 allow zygote self:capability { dac_override setgid setuid fowner chown };
@@ -11,13 +10,13 @@
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
-allow zygote { appdomain autoplay_app }:process dyntransition;
+allow zygote { appdomain ephemeral_app }:process dyntransition;
 # Allow zygote to read app /proc/pid dirs (b/10455872)
-allow zygote { appdomain autoplay_app }:dir { getattr search };
-allow zygote { appdomain autoplay_app }:file { r_file_perms };
+allow zygote { appdomain ephemeral_app }:dir { getattr search };
+allow zygote { appdomain ephemeral_app }:file { r_file_perms };
 # Move children into the peer process group.
 allow zygote system_server:process { getpgid setpgid };
-allow zygote { appdomain autoplay_app }:process { getpgid setpgid };
+allow zygote { appdomain ephemeral_app }:process { getpgid setpgid };
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
@@ -99,7 +98,7 @@
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
 # with appdomain plus system_server.
-neverallow zygote ~{ appdomain autoplay_app system_server }:process dyntransition;
+neverallow zygote ~{ appdomain ephemeral_app system_server }:process dyntransition;
 
 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
 neverallow zygote {
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 35e6238..d8fa636 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -202,7 +202,7 @@
 key_map rules[] = {
                 /*Inputs*/
                 { .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
-                { .name = "isAutoPlayApp",  .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isEphemeralApp",  .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isOwner",        .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "user",           .dir = dir_in,                              },
                 { .name = "seinfo",         .dir = dir_in,                              },
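Review bot: The renamed entry `{ .name = "isEphemeralApp",  .dir = dir_in, .fn_validate = validate_bool },` keeps the two spaces before `.dir` that padded the one-character-shorter `isAutoPlayApp`, so its `.dir` column is now one character off from the surrounding rows of `rules[]`, which pad to a common column. Use a single space, or re-pad the table, to keep the rows aligned. Whether the seapp_contexts consumer in libselinux was updated to accept the new key name is not visible in this diff and is worth checking, since a mismatch would make the checker accept files the runtime rejects.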
@@ -897,8 +897,7 @@
 		}
 
 		if (sepol_policydb_read(pol.db, pol.pf) < 0) {
-			log_error("Could not lod policy file to db: %s!\n",
-					strerror(errno));
+			log_error("Could not load policy file to db: invalid input file!\n");
 			exit(EXIT_FAILURE);
 		}
 	}
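Review bot: The new message `Could not load policy file to db: invalid input file!` asserts a cause the code does not establish: `sepol_policydb_read` can fail for reasons other than a malformed file, such as an unsupported policy version or an allocation failure, so the text can send the user down the wrong path. Dropping `strerror(errno)` is right, since the function does not reliably set errno, but a neutral message such as `log_error("Could not load policy file to db!\n");` is more honest. The enclosing function continues outside the hunk.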
@@ -987,6 +986,7 @@
 	list *list_to_addto;
 
 	e.key = rm->key;
+	e.data = NULL;
 
 	log_info("Searching for key: %s\n", e.key);
 	/* Check to see if it has already been added*/
diff --git a/tools/checkfc.c b/tools/checkfc.c
index e7d19b0..8a28f3c 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -346,7 +346,7 @@
         break;
       case 's':
         mode = filemode_service_contexts;
-        backend = SELABEL_CTX_ANDROID_PROP;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
         break;
       case 'h':
       default: